Saturday, July 23, 2011

Tools from SANSFIRE

I love finding new tools. Maybe the functionality they provide is simply a shortcut to something I can do with other tools, eliminating a step or two and saving time, or else they might provide a way to do something I hadn't considered before. I came across a good number of new ones at SANSFIRE. I'll post the ones that caught my interest as I review my notes and books, in case one might fill a niche for you.
The first one is pcapcat. This is a perl script which parses through a packet capture, identifies and displays all the sessions by source IP and port and destination IP and port and displays them for you. You then supply a filename and pcapcat writes out the session to a new capture file. Not only does this save some keystrokes and time over using tcpdump, but it's also a handy way to see all off the sessions quickly and determine which ones are of interest. The tool was written by Kristinn Guojonsson to help answer a challenge on forensicscontest.com, which is found here. The actual code can be found here to paste into a new script on you analysis box.
Try it out and see if it'll help save you a little time (or if you're new to network security and aren't sure about all the tcpdump syntax yet, use this until you get up to speed)

No comments:

Blog Archive